1.1.2 Ensure /tmp is configured

Information

The /tmp directory is a world-writable directory used for temporary storage by all users and some applications.

Rationale:

Making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.

This can be accomplished by either mounting tmpfs to /tmp, or by creating a separate partition for /tmp.

Impact:

Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.

If /tmp does not already exist on the system as a separate partition or tmpfs mount, the directory /tmp needs to be reviewed for contents that may not be removed by a reboot.

Solution

For new installations, during installation create a custom partition setup and specify a separate partition for /tmp.
For systems that were previously installed, configure /etc/fstab as appropriate.
Example:

tmpfs/tmptmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0

Note: This change will no be effected until the system has been re-booted or a re-mount /tmp command is executed. If re-mount is performed, the contents of /tmp at the time of the re-mount will become inaccessible.

See Also

https://workbench.cisecurity.org/files/3148

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv6|3.1, CSCv7|5.1

Plugin: Unix

Control ID: a30806a83a31cff1883052da0a7bc77a556e050ce55748cc939a47c0d48f77cd